Use Terraform to Manage CloudGuard WAF

The CloudGuard WAF Terraform provider allows configuration of all aspects of CloudGuard WAF using Infrastructure as Code (IaC).

Terraform uses the concept of Providers to provide an open-source feature-rich plugin system. Providers adopt specific conventions programmatically that allow them to express the CRUD lifecycle of individual resources and how to maintain and verify the state of existing deployed resources.

The deployment option for WAF SaaS is currently not available. We are actively working on developing a Terraform provider for our WAF SaaS deployment option and will notify our users once it becomes available.

Terraform Resources

The terraform files and usage examples are available in 2 locations:

  1. The origin GitHub repository for the Terraform registry.

API Keys For Terraform Provider Access

Step 1: Get API Keys

Follow the "Create an API Key" action in the Management API reference guide.

We strongly recommend that you store the credentials in a secured and authenticated location, like HashiCorp's vault or other vault.

Step 2: Use the API Keys in Terraform Provider

The API Keys' credentials can be used by the provider in 3 different methods:

  1. Saved in the environment variables INEXT_CLIENT_ID and INEXT_ACCESS_KEY.

  2. (Less secure) Explicitly set within the terraform file using the client_id and access_key fields in the provider block, as seen in the example tf files in this documentation.

  3. Terraform input variables.

When keys are stored in a vault, make sure to have a protected process to inject the keys from the vault into Terraform Provider, without additional systems being able to access them.

Using the Terraform Provider

A terraform file includes a list of the terraform providers to use. Make sure the following is added to the beginning of each of your terraform files:

terraform {
  required_providers {
    inext = {
      version = "~> 1.0.0"
      source  = "CheckPointSW/infinity-next"
    }
  }
}

provider "inext" {
  region = "<DATA_REGION>"
  # client_id = "<CLIENT_ID>" # optional method for sending API Keys
  # access_key = "<ACCESS_KEY>" # optional method for sending API Keys
}

Terraform Input Variables for the "inext" provider

Region

According to your tenant's data residency as can be seen in Global Settings->Account Settings.

Data ResidencyValue for "region" parameter

Ireland

eu

United States

us

API Keys

client_id and access_key - optional variables, as explained above, providing another method of sending the API keys.

Enforce Tool

A unique aspect to using CloudGuard WAF is the "Enforce" action.

Terraform is used to configure the system and create a configuration state that can be changed when required. However, "Enforce" is not a state but a single action that tells CloudGuard WAF to pass the configured security to the agents.

In essence, all changes that are made when running terraform apply are done under a session of the configured API key. In CloudGuard WAF, each session must be published to be able to enforce your configured policies on your assets. Think of it as committing your changes to be able to make a release.

It is normally performed after every configuration change, but it is not an inherent action to configuration changes. For this reason there is a separate tool provided to processes to enforce the policy configuration.

Enforce Tool Download

The "Enforce" CLI tool is available through our GitHub repository.

This repository includes a CLI utility for this exact use case, which includes 2 commands: publish and enforce.

Enforce Tool Usage

There are three options to pass the client ID, access key and region when publishing or enforcing a policy using the CLI:

  1. Option 1: Set the environment variables: INEXT_REGION, INEXT_CLIENT_ID and INEXT_ACCESS_KEY and run inext <command> Using this method right after terraform apply will use the same environment variables that were already injected in the method of your choosing.

  2. Option 2: Set credentials using command line parameters--client-id (shorthand -c) for client ID,--access-key (shorthand -k) for the access key, and -r for region.

    inext <command> -c $INEXT_CLIENT_ID -k $INEXT_ACCESS_KEY -r us

  3. Option 3: Create a yaml file at ~/.inext.yaml with the following content:

    client-id: <INEXT_CLIENT_ID>
    access-key: <INEXT_ACCESS_KEY>
    region: eu

    Run inext <command>and the CLI would use the file ~/.inext.yaml by default, you could also configure a different path for this configuration file using: inext --config <path> enforce

Example Terraform Files

We are providing example Terraform files to both test and use as a baseline for your configurations.

Download

See the links to the Terraform Resources at the top of the page. Each option also includes the example files.

Usage

  1. Make sure you install Terraform according to the instructions in the Terraform website.

  2. Open a command line to the folder where the example file was unzipped.

  3. For the example, set the environment variables using the export command to your API keys. Otherwise, as noted in the API Keys section, create a secure process to transfer the API Keys from a secure location like a vault to the terraform deployment process.

  4. Edit the Terraform files if you wish to adjust the example.

  5. Run: terraform init

  6. Run terraform apply, verify that the resource is planned for creation, enter yes, and press Enter.

  7. You can verify the configuration was applied by browsing to Infinity Portal and watching the objects in the Web UI.

Last updated